Internet of Things (IoT)

Updates

Cybersecurity researchers at F5 Networks and their data partner Loryka reported that cyber-attacks on Finland, which is not typically a top attack destination country, dramatically increased from 12 July until the Trump-Putin summit. The researchers claim that the majority of the attacks were brute force attacks against SSH, a type of attack commonly used to exploit IoT devices online. According to F5 Networks, ChinaNet was the top network from which attacks were launched, both before the Trump-Putin summit and during the attack spike. However, researchers noted that there is no data to suggest the attacks against Finland were successful.

In May 2018, a family in Portland, USA reported that their Amazon Echo smart speaker had recorded snippets of private conversations and sent them to a random person in their contact list. Amazon explained that the device had subsequently misinterpreted several pieces of the conversation and this is why it ended up behaving as reported. But the incident has sparked controversy over the privacy implications of Echo-like devices and the privacy-related policies of their manufacturers. In light of this case, two members of the US Senate – Jeff Flake and Chris Coons, who serve as chairman and ranking member of the Judiciary Subcommittee on Privacy, Technology and the Law – sent a letter to Amazon CEO Jeff Bezos, asking for clarifications on how the Echo device functions (when and how frequently it sends data to Amazon servers, how long the recordings are stored, and how the recorded data is anonymised) and what actions the company is taking to protect the privacy of its users. The senators also asked Amazon to indicate the number of complaints it has received about Echo misinterpreting commands.

A recently released report by the US organisation Securing America’s Future Energy (SAFE) concluded that the economic benefits that may be brought by the widespread adoption of autonomous driving technology might surpass common concerns related to labour market destabilisation and job dislocation. Job dislocation and contribution to unemployment might not be as severe as commonly suspected, as new jobs and other economic benefits would compensate for any expected labour market disruption. The report recognises that some groups might be more seriously affected by job dislocation than others, and recommends that policymakers fully support autonomous vehicle deployment while, in parallel, laying the groundwork for the requalification of the workforce.

In May 2018, a bill was introduced in the US Congress under the heading 'Preventing Emerging Threats Act of 2018', intending to 'assist the Department of Homeland Security (DHS) in preventing emerging threats from unmanned aircraft and vehicles'. The bill would, among other things, authorise the DHS or the Department of Justice to take actions necessary to mitigate the threats that drones could pose 'to the safety and security of a covered facility or asset'. These actions could include detecting, identifying, monitoring and tracking the drone, disrupting control of the drone, seizing or exercising control of the drone, or using reasonable force to disable, damage or destroy it. The bill was subject to a hearing in the US Senate Committee on Homeland Security and Governmental Affairs, on 6 June 2018. During the hearing, officials from the US government argued in favour of the bill, noting that 'the threats posed by malicious drones are too great to ignore' and expressing concerns that 'criminals and terrorist will exploit [drones] in ways that pose a serious threat to the safety of American people'. While US authorities advocated in favour of new powers to allow them to counter threatening drones, civil society groups expressed concerns over the bill's provisions. The Electronic Frontier Foundation noted, for example, that 'many of the bill’s key terms are undefined, but it is clear that it provides extremely broad authority, exempting officials from following procedures that ordinarily govern electronic surveillance and hacking, such as the Wiretap Act, Electronic Communications Privacy Act, and the Computer Fraud and Abuse Act'.

The European Commission has announced a set of measures aimed at promoting 'safe, clean and connected mobility' and allowing 'all Europeans to benefit from safer traffic, less polluting vehicles and more advanced technological solutions, while supporting the competitiveness of the EU industry'. Among them is a communication entitled 'On the road to automated mobility: An EU strategy for mobility of the future', which outlines a set of actions aimed at achieving the EU's ambition of becoming 'a world leader in the deployment of connected and automated mobility'. The Commission notes that current EU legislation is largely suitable to allow automated and connected vehicles to be put on the market, but that new regulatory changes would be needed to create a 'harmonised, complete and future-proof framework for automation'. Other critical areas of focus outlined in the communication include: (a) allocating investments in technologies and infrastructure for automated mobility; (b) ensuring an internal market for the safe take-up of automated mobility (by elaborating guidelines for a harmonised approach to automated vehicle safety assessments, for example); (c) proposing new safety features for automated vehicles (by amending current regulations and directives on motor vehicle and road infrastructure safety); (d) addressing liability issues, ensuring cybersecurity, data protection and data access; and (e) exploring the implications of automated mobility on society and the economy (with a view to determining whether regulatory measures are needed to address the possible negative impacts).

The Internet of Things (IoT) includes a wide range of Internet-connected devices, from highly digitalised cars, home appliances (e.g. fridges), and smart watches, to digitalised clothes that can monitor health. IoT devices are often connected in wider systems, typically described as 'smart houses' or 'smart cities'. Such devices both generate enormous amounts of data and create new contexts in which data are used. IoT triggers a multitude of policy issues, from standardisation to protection of privacy.

When we say that the Internet helps us to connect, we also implicitly refer to the fact that some of our devices can be connected and transfer data among themselves. Primarily, we are thinking about computers, mobile phones, tablets, and e-readers. But what if every device we use on a daily basis, such as transportation vehicles, home appliances, clothes, city infrastructure, and medical and healthcare devices, can connect via the global network to a remote center or to other devices? This gives the term ‘connected’ a different, broader meaning.

This is the general idea behind the IoT, a network of physical objects or ‘things’ connected via electronics, software, and sensors to exchange data with manufacturers, operators, or other connected devices. The main objective is to achieve greater value or service. IoT devices use the present Internet structure, not a separate/different Internet.

The most common sensors currently used for IoT device communication are radio frequency identifiers, universal product codes, and electronic product codes. In addition, researchers are continuously exploring new modalities for connecting IoT devices, such as light-emitting diodes (LEDs).

Some of the most developed IoT industries include home automation, health monitoring, and transportation. Other industries where IoT is playing a prominent role are energy, infrastructure, agriculture, manufacturing, and consumer applications.

In general terms, the IoT is increasingly seen as having significant development potential that can contribute to achieving the sustainable development goals (as underlined in an ITU–Cisco Systems report from 2016, and at various sessions held at the IGF 2016 meeting).

Even if the size of a single piece of data generated by connected IoT devices could be quite small, the final sum is staggering due to the number of devices, estimated to reach between 20 and 100 billion by 2020. According to the International Data Corporation, by 2020 the ‘digital universe’ will reach 44 zettabytes (trillion gigabytes), and 10% of this amount would come from IoT devices.

Public and private initiatives

The business sector is leading major IoT initiatives. While companies such as Intel and Cisco continuously develop their portfolios of IoT services, telecom operators have started to deploy IoT-dedicated networks on a large scale, to encourage the use of IoT. Moreover, companies from different sectors are joining forces in alliances aimed at further contributing to developments in the field of IoT. Examples include the Open Connectivity Foundation, whose aim is to contribute to achieving interoperability among IoT devices, and the LoRa Alliance, which works in the field of IoT standardisation.

Governments are also becoming more and more aware of the opportunities brought by the IoT, and they are launching various types of initiatives in this area. The European Union, for example, has initiated the Horizon 2010 Work Programme 2016-2017: Internet of Things Large Scale Pilots for testing and deployment, a funding programme aimed at encouraging the take-up of IoT in Europe. In the USA, the Department of Commerce has issued a Green Paper on Fostering the Advancement of the Internet of Things, and is exploring a potential role (and related benefits and challenges) for the government in supporting the evolution of the IoT field. The Chinese government, on the other hand, has created the Chengdu Internet of Things Technology Institute, through which it funds research in various IoT-related areas.

IoT, data protection, and security

The IoT generates massive amounts of data, and this has triggered major concerns related to privacy and data protection. Some IoT devices can collect and transmit data of a personal nature (e.g. the case of medical IoT devices), and there are concerns about how the devices themselves are protected (ensuring their security), as well as about how the data they collect is processed and analysed. While information transmitted by a single IoT device might not cause privacy issues, when sets of data collected from multiple devices are put together, processed, and analysed, this may lead to sensitive information being disclosed.

IoT devices are increasingly used as tools in large cyber-attacks, bringing the security of such devices into sharper focus. One notable example is from October 2016, when a series of distributed denial of service (DDoS) attacks against Dyn Inc., a large Domain Name System hosting and DDoS‐response provider serving top online service providers, rendered many services – including Twitter, PayPal, Reddit, and Spotify – temporarily unavailable, and slowed down Internet traffic across the globe. In the context of ongoing debates on the responsibility that the private sector should take when it comes to IoT security, companies have started to launch initiatives in this area. In one such example, AT&T, IBM, Nokia, Palo Alto Networks, Symantec, and Trustonic have formed the IoT Cybersecurity Alliance, with the aim to ‘help customers address IoT cybersecurity challenges, demystify IoT security, and share best practices’. At the same time, standard-setting organisations are looking more carefully into developing IoT security standards. Despite such initiatives, there have been calls for governmental intervention, with security experts arguing that the private sector is not sufficiently motivated to appropriately address IoT security concerns, and that regulations and public policies are needed to cover issues related to security standards, interoperability, and software update requirements.

IoT, big data, and artificial intelligence

Ongoing developments in the field of automated systems (e.g. self-driving cars and medical robots) bring to light an increasingly important interplay between IoT, artificial intelligence (AI), and big data. Artificial intelligence, a field undergoing very rapid development, provides ‘thinking’ for IoT devices, making them ‘smart’. These devices, in turn, generate significant amounts of data – sometimes labeled as big data. This data is then analysed and used for the verification of initial AI algorithms and for the identification of new cognitive patterns that could be integrated into new AI algorithms.

While this interplay presents an enormous business potential, it also brings new challenges in areas such as the labour market, education, safety and security, privacy, ethics and accountability. For example, while AI systems can potentially lead to economic growth, they could also generate significant disruptions to the labour market. As AI systems involve judgements and decision‐making – replacing similar human processes – concerns have also been raised regarding ethics, fairness, justice, transparency, and accountability. The risk of discrimination and bias in decisions made by autonomous technologies is one such concern, very well illustrated in the debate that has surrounded Jigsaw’s Conversation AI tool. While potentially addressing problems related to misuse of the Internet public space, the software also raises a major ethical issue: How can machines determine what is and what is not appropriate language?

Such challenges have prompted both governments and the private sector to take several steps. The US National Science and Technology Council outlined its strategy for promoting AI research and development, while the White House made recommendations on how to prepare the workforce for an AI‐driven economy. The UK Parliamentary Committee on Science and Technology asked the UK government to take proactive measures. In the European Parliament, the Committee on Legal Affairs proposed the adoption of an EU ‘legislative instrument’ to tackle legal questions related to the development of robotics and AI, as well as the introduction of ‘civil law rules on robotics’. In the private sector, major Internet companies (IBM, Facebook, Google, Microsoft, Amazon, and DeepMind) have launched the Partnership on Artificial Intelligence initiative, aimed at addressing the privacy, security, and ethical challenges of AI, and initiating a broader societal dialogue on the ethical aspects of new digital developments.

Actors

In line with its objective of supporting the development of the IoT ecosystem in Europe, the Alliance mostly focuses on developing policy recommendations on issues of relevance for the IoT, and facilitating the adoption of such recommendations across its members. The various working groups created within the organisation have produced reports and recommendations focusing on issues such as smart manufacturing, wearable technologies, smart mobility, smart cities, food safety IoT applications, and smart living environments. In November 2016, the Alliance issued a set of policy recommendations on the Digitisation of European industry, addressing IoT-related policy issues, including trust, numbering and addressing, the free flow of data, and liability.

The Alliance focuses its work on standardising and promoting the deployment of Low Power Wide Area Networks (LPWAN) as a key enabler of IoT applications. It has developed the LoRa protocol (LoRaWAN), aimed at facilitating interoperability among IoT devices. In addition, it has launched the LoRa Alliance Certified programme, designed as a mark of recognition that IoT products meet national frequency regulations, and ensure LoRaWAN interoperability and compliance of network infrastructure. Members of the Alliance collaborate and share knowledge and experience to guarantee interoperability among their products. The organisation has produced several white papers on issues such as the market potential of LPWA technologies and LoRaWAN security.

The Foundation dedicates most of its work to creating specifications for seamless interoperability among IoT connected devices. The developed OIC specification tackles issues such as the core architecture, interfaces, and services, security, and smart home devices, among others. Additional specifications are under ongoing development and review. The Foundation also sponsors the IoTivity project, aimed to deliver an open source reference implementation of the IoT interoperability specifications it is developing. In addition, it runs certification programmes aimed to provide real world testing to help developers ensure that their IoT products work.

More and more standards and guidelines developed by ISO cover issues related to data and information security, and cybersecurity. One example is the 27000 family of standards, which cover aspects related to information security management systems and are used by organisations to keep information assets (e.g. financial data, intellectual property, employees' information) secure. Standards 27031 and 27035, for example, are specifically designed to help organisations to effectively respond, diffuse and recover from cyber-attacks. Cybersecurity is also tackled in the framework of standards on technologies such as the Internet of Things, smart community infrastructures, medical devices, localisation and tracking systems, and future networks.

The ITU Telecommunication Standardization Sector (ITU-T) develops international standards (called recommendations) covering information and communications technologies. Standards are developed on a consensus-based approach, by study groups composed of representatives of ITU members (both member states and companies). These groups focus on a wide range of topics: operational issues, economic and policy issues, broadband networks, Internet protocol based networks, future networks and cloud computing, multimedia, security, the Internet of Things and smart cities, and performance and quality of service. The World Telecommunication Standardization Assembly (WTSA), held every four years, defines the next period of study for the ITU-T.

The IEC carries out standardisation and conformity assessment activities covering a vast array of technologies. These range from smart cities, smart grids, and smart energies, to electromagnetic compatibility between devices, digital system interfaces and protocols, and fibre optics and cables. Other areas covered by the Commission through its work include cable networks, multimedia home systems and applications for end-user networks, multimedia e-publishing and e-book technologies, safety of information technology and communication technology, wearable electronic devices and technologies, cards and personal identification, programming languages, IT for learning, education, and training, cloud computing and distributed platforms, and the Internet of Things.

Instruments

Standards

The concept of 'Internet of Things' (IoT) generally refers to a network of interconnected physical and virtual devices or objects that use the Internet to exchange data with manufacturers, operators, and among themselves. IoT applications can be found in areas such as transportation, energy, home appliances, medical and healthcare devices, environment, retail, and agriculture.

A more formal definition of the Internet of Things has been elaborated in the framework of the Telecommunication Standardization Sector (ITU-T) of the International Telecommunication Union, and published in the Recommendation ITU-T Y.2060 ‘Overview of the Internet of things’ (adopted in June 2012). According to this recommendation, the Internet of Things represents ‘a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies’. The recommendation also provides a technical overview of the Internet of Things, and outlines the fundamental characteristics (such as interconnectivity, heterogeneity, and dynamic changes) and high-level requirements (such as identification-based connectivity, interoperability, autonomic networking, privacy, and data protection) of the IoT. In addition, the IoT reference model is explained, and details are provided on its components: the four layers (application, service and application support, network, and device), as well as management and security capabilities.

The Recommendation ITU-T Y.2060 is a result of the work carried out by the ITU-T Study Group 13, which is responsible for developing standards and recommendations covering future networks, including cloud computing, mobile, and next-generation networks. While the scope of this group continues to include IoT-related issues (such as support of IoT in next-generation networks), more specific IoT standardisation work is now carried out within the ITU-T Study Group 20 (created in 2015), whose initial focus is on IoT applications in smart cities and communities.

The increasing availability of IoT devices and applications, and their expansion into new areas are expected to bring significant advantages, but also challenges. Mitigating the security threats and weaknesses of IoT services, and ensuring the protection of privacy and personal data in the context of IoT data transmission are only two examples of such challenges, which are and will continue to be looked into carefully especially by the private sector and the technical community.

The interactive format of the session was explained and the audience was split into three groups representing the perspectives of the manufacturer, the user, and the policymakers when discussing the different aspects of the Internet of Things (IoT): privacy, security, and economics.

The group on policymaking, under the facilitation of Tropina, built their discussions around the experience of the UK government in supporting the research and development of IoT and engaging with businesses and citizens to advance UK leadership in IoT applicability. The goal of their initiative is to propose commercial incentives for manufacturers to ensure the development of IoT for healthcare services, transportation and smart cities. The group came to the idea that privacy and security by design should be a priority for IoT devices and software. However, policymakers should work with the industry to set standards at the global level to ensure a cross-border flow of IoT technologies and devices, and most importantly, to prevent counterfeiting, which would endanger security and privacy tremendously. For this reason, it would be good to involve international standardisation organisations. Finally, the group agreed on the necessity to find reliable metrics for checking the progress of IoT deployment and how it really contributes to economic growth.

The second group’s discussion was led by Koch and focused on the manufacturer’s perspective, with most of the discussion being on security. However, as businesses, their foremost priority is to sell products, and it was roughly agreed that economics was the driving factor behind having security or privacy on the agenda for IoT manufacturing. Following the roll-out of the General Data Protection Regulation (GDPR), privacy and security became an economic consideration as well. Since businesses mainly run on consumer/user demand, the group also argued that demanding security was the consumer’s responsibility at the end of the day. The layers of security, from the design and manufacturing of the microchips to software, were discussed, and companies who take on all layers of production were mentioned as examples of efforts to increase product security. Another point made was that the IoT was not only there for end users and was not always connected to the Internet, but a big part of the industry was built upon business to business applications for logistics, manufacturing, transportation, environmental monitoring, industries and so on.

The third group focused on the user’s perspective and started the discussion by trying to formulate the questions that they saw as relevant to making informed decisions relating to connected products and devices, whether security was a concern, and how a consumer can learn about quality and security when it comes to devices whose technical functioning is not necessarily intuitive. Some of the other points raised by the discussion group include:

One of the key topics was whether users were ready to pay more for secured IoT devices, and participants agreed that price was a relevant component but not the only issue to be considered.

Information regarding the safety and security of connected devices needs to be clear, objective and intelligible for non-experts; an excessive burden on vulnerable users who normally lack the necessary expertise will not improve the overall cybersecurity environment.

Whether through formal certification or informal mechanisms, users want devices to be tested and the results publicised, so as to ensure diversity and confrontation of views, as well as diversity of sources that are independent and, if possible, officially verifiable.

Children’s toys and devices may be a good starting point to raise awareness regarding the importance of privacy and security of connected devices, since people tend to raise their concerns and awareness efforts when these interests are at stake.

The session continued with discussions comparing the messages and perspectives of policymakers, users and manufacturers. The question of the responsibility for security was debated in depth. Users put economics over security, which determines sector trends in IoT, so education and awareness should be a priority. One solution could be for governments to impose security by design on manufacturers, which would solve the security issue. Another important point to consider is imported products: is it a solution to tightly regulate imported IoT and have certifications? Participants from a technical background stressed that security is not a state; it constantly evolves, which raises the question of who is responsible for security issues. In 10 or 20 years, if a manufacturer is long gone but the products are still in use, whom will governments and users address? Industry-set standards can be a solution to these issues, just like the CE standards for various products.

Final remarks included that current disclosures and disclaimers that come with connected devices were not sufficient. Regulation in addition to the existing privacy regulation will likely be needed for the IoT. And in the near future, if there is a lack of consideration for privacy and security in IoT devices, they may simply not be allowed on the European market.

Articles

The report outlines data security threats and concerns in emerging cloud, big data and Internet of Things technologies. Based on the results of a global survey conducted among over 1100 senior security executives, the report identifies the following as the main data security concerns: security breaches/attacks, increased vulnerability from shared infrastructure, lack of control over the location of data, privacy violations from data originating in multiple countries, protecting sensitive data generated by IoT.

Publications

The latest edition of the glossary, compiled by DiploFoundation, contains explanations of over 130 acronyms, initialisms, and abbreviations used in IG parlance. In addition to the complete term, most entries include a concise explanation and a link for further information.

The book, now in its sixth edition, provides a comprehensive overview of the main issues and actors in the field of Internet governance and digital policy through a practical framework for analysis, discussion, and resolution of significant issues. It has been translated into many languages.

Reports

The report outlines predictions of the development of the technology, media, and telecommunications sectors in 2017. It covers issues such as: biometric security, distributed denial of service attacks, self-driving vehicles, 5G networks, machine learning, and Internet of Things as a service.

The report, prepared by the Global Commission on Internet Governance, outlines a series of recommendations to policy makers, private industry, the technical community and other stakeholders on modalities for maintaining a ‘healthy Internet’. It tackles aspects such as: the promotion of a safe, open and secure Internet, human rights for digital citizens, the responsibilities of the private sector, safeguarding the stability and resiliency of the Internet’s core infrastructure, and improving multistakeholder Internet governance.

The report looks into how the Internet of Things is used to address social, economic, and business challenges, discusses factors that accelerate the adoption of the technology, and points to IoT security and privacy-related challenges. It also makes recommendations for how businesses and consumers can derive the most benefit from IoT in the following two years.

The report analyses the opportunities that homes equipped with Internet of Things connected devices offer to society, as well as the security and privacy risks inherent to such devices. It also provides a series of recommendations on how to maximise the value of IoT home devices, while minimising concerns.

The paper provides an overview of the mobile network ecosystem in 2015, and presents a series of projections and growth trends in the mobile data traffic. A continuously growing adoption of mobile technologies by end users is predicted, and it is expected that this will make the Internet of Everything more sustainable.

This report examines and documents evolutions and emerging opportunities and challenges in the digital economy. It provides a comprehensive overview of the digital economy, including matters of infrastructure, policy, net neutrality, development, privacy and security.

The report explores how Internet of Things applications (can) create value for companies, consumers, and economies, and discusses enablers and barriers in this regard, as well as new business models and a new tech market for IoT.

The report explores the emergence of the Internet of Things ‘connected homes’, analyses consumers’ demand and adoption, and outlines several steps that the industry and policymakers can take to ensure that IoT can realise its full potential in improving people’s lives.

The report explores the transformative potential of the industrial Internet of things, and analyses opportunities and benefits deriving from IoT connected products, as well as risks and challenges associated with the evolution of the technology. It also outlines a number of recommendations aimed to accelerate the overall IoT development.

GIP event reports

Cybersecurity and privacy represent two interconnected aspects. Legal frameworks are mandatory in any cyber context because of the amount of personal information that needs to be protected while keeping up with the speedy evolution of technologies. Data is essential for Internet of Things (IoT) devices; indeed, by 2025, there will be over 20 billion connected devices. The session was moderated by Mr Marcin Cichy (President of the Office of Electronic Communications (UKE) of Poland). It focused on privacy considerations within the context of artificial intelligence (AI) and IoT, including references to the General Data Protection Regulation (GDPR).

The first speaker was Mr Mohammad N. Azizi (Chairman of the Afghanistan Telecom Regulatory Authority (ATRA)). He explained how the information technology landscape is in constant evolution and how most data is generated from online and offline platforms. Thus, IoT will further transform the way we think about data and the way we use it. With the application of AI to IoT devices, the cybersecurity aspect becomes a crucial one. As a result, law enforcement agencies and regulators cannot work in silos; they need to work together. Regulators need to focus on how data is collected, while law enforcement should focus on how the data is used. Collaboration is necessary for going forward.

The second speaker, Mr Giampiero Nanni (Government Affairs of Symantec) talked about the impact of privacy in the context of Shadow IT, defined as information technology systems that live inside an organisation without explicit organisational approval. Thus, privacy issues are raised when dealing with data put into the cloud through these applications. Finally, he further argued that IoT is a ‘time bomb’ because it does not have provisions in terms of security.

The third speaker, Mr Aaron Kleiner (Director, Industry Assurance & Policy Advocacy at Microsoft) spoke from a deep industrial perspective explaining how technology companies think about security and adding Microsoft’s experience as an example. He argued that a change in people’s mindset is needed: approaches need to move from security bolted on at the end of production to security placed at the core of production. In addition to that, an operational assurance framework should be taken into consideration. Over the years, societal technology reliance reached policymakers. From the technology sector’s perspective, it is up to them to understand how to improve cybersecurity. In this regard, he recalled Microsoft’s publication, The Future Computed: Artificial Intelligence and Its Role in Society. He finished his argument by stating that there is a need for time to identify and articulate the key principles of making AI, and enabling people to achieve more. The tech industry is collaboratively looking at AI. To this extent, a public-private dialogue should be fostered. With regards to the GDPR, he argued that it has a significant impact on the private sector, arguing that privacy represents the foundation for trust between the private sector and consumers.

The fourth speaker, Mr Luigi Rebuffi (Secretary-General of the European Cybersecurity Organization (ECSO)) argued that a right balance between monitoring activities and cybersecurity does not exist. It depends on various aspects, such as the cultural environment. Recently, surveillance has switched from physical surveillance to digital surveillance of data and information. He stated that it is a kind of surveillance that we, as citizens, are providing to society. Moreover, society will evolve with the increase of connected devices. With regards to privacy, a recurrent, still open question is: does privacy still exist? There is a need to find a pathway for the balance between the increase of security and the correct use of data. Furthermore, there is a need to educate both protectionists and citizens.

The fifth speaker, Ms Raquel Gatto (Regional Policy Advisor of the Internet Society (ISOC)) recalled ISOC’s publication the 2017 Internet Society Global Internet Report: Paths to Our Digital Future. She explained that the research identified six different drivers: cyber threats; AI; IoT; the role of governments; network standards; and Internet economy. Despite the apocalyptic view about jobs that will be lost, there is room to be optimistic: technological evolution can be used for better social development. With regards to cybersecurity, it has to be considered during the first stages of development, and it is up to regulators to change this mindset. She argued that this is already happening in the case of the IoT framework of the Online Trust Alliance (OTA). However, work should also be done on the prevention side. Finally, she concluded her speech by trying to answer the question ‘does privacy still exist?’ She argued that yes, it does, and it is about being aware of your data. Thus, no law will bring a definitive solution, but an efficient way to achieve privacy is a collaborative approach by all stakeholders.

The sixth speaker was Mr Ivo Lõhmus, Vice President Public Sector of the Guardtime AS, who talked about the use of blockchain in the implementation of the use of data. He explained how blockchain technology works and explained that one important feature of blockchain is the immutability of data. As a result, this can have negative implications with regard to human rights such as the right to be forgotten.

The final speaker was Mr Vincenzo Lobianco (Chief Technology and Innovation Officer (Autorità per le Garanzie nelle Comunicazioni) of Italy). He talked about the Italian experience in terms of a best practice example. There is a new paradigm in place: the use of IoT means that several different actors are involved in the collection and elaboration of data. They all have a common feature: they need a communications infrastructure to send data directly to the centre, to the cloud. The telecom regulator has to understand the need for working with different sectors. In conclusion, he gave three main examples of collaboration: the energy sector with smart metering; the transportation authority; and finally, the large investigation of big data and economy.

This side event introduced the StaTact toolkit, developed by UN Institute for Training and Research (UNITAR) and the UN Statistics Division (UNSD) to assist governments in solving measurement problems related to the 2030 Agenda. Mr Nikhil Seth (Assistant Secretary-General of the UN and Executive Director of UNITAR) highlighted current gaps in the methodology and data needed to monitor sustainable development goal (SDG) indicators, which provide challenges even for advanced statistical offices. Seth explained that StaTact aims to help countries identify and respond to such measurement challenges.

Mr Stefan Schweinfest (Director of the UN Statistics Division) called for greater focus on capacity building to enhance financial, human, and institutional capacity for monitoring the SDGs. In this context, there is a need to improve the organisation and management of statistics and develop integrated national and sub-national development programmes with a strong focus on data, especially in least developed countries. StaTact provides an opportunity to support such programmes with strengthened statistical systems.

Mr Einar Bjorgo (Director, Division for Satellite Analysis and Applied Research, UNITAR) provided an overview of the development of StaTact, which was born out of a partnership between UNITAR and UNSD, and involved consultations with UN country teams and regional commissions, before going into a process of iterative design and pilots to improve its functionality. The tool takes a tactical approach to allow for quick solutions to practical measurement problems, rather than offering long-term strategic support.

Ms Elena Proden (Specialist, Strategic Implementation of the 2030 Agenda, UNITAR) elaborated on the use of the tool, which includes multistakeholder workshops that aim to develop a realistic action plan that can be implemented within 6-12 months. She highlighted that the tool is particularly useful when there is no national strategy, when there are obstacles impeding the implementation of strategies, and when current strategies need to be reviewed or redirected. In addition, the tool ensures the alignment of statistics with SDG indicators and promotes a bottom-up approach to the localisation of these indicators.

Mr Gabriel Gamez (Inter-regional Adviser at the UN Statistics Division) emphasised the value of statistics in converting raw data into information and knowledge that can be communicated to decision-makers. In this process, it is important to be agile and flexible in the design of statistical models while standardising the collection, analysis, storage, and dissemination of statistics. Noting the value of independent and objective official statistics, he explained that the UN General Assembly has put official statistics at the core of the SDG indicator framework (see A/RES/71/313). To be able to meet this challenge, national statistical offices need to modernise and strengthen their infrastructure, know-how, and management. StaTact helps statistical offices to identify quick wins that can help them move forward in their transformation.

Throughout the pilots, the greatest obstacles for national statistical offices seem to be related to interoperability, coordination, granularity and methodology; and solutions have been found in the establishment of coordinating groups, the exchange and access to non-traditional data, the development of new approaches, and the improvement of management support and finance.

Following the introduction of StaTact, three representatives of statistical offices shared their experience in using the tool. Mr Iwan A. Sno (Director of the General Bureau of Statistics of Suriname) explained that the tool has been useful to raise awareness and encourage action, to improve communications, and to assess gaps in statistical frameworks, although there are certain technical elements that could be improved. Mr James Muwonge (Director of Socio-Economic Surveys at the Uganda Bureau of Statistics) explained how the tool has been useful in identifying the need to harmonise different interpretations in the measurement of youth employment and develop a common definition. Mr Tchaou Meatchi (Director of Planning and Development Policies of the Ministry of Planning of Togo) presented the ways in which the tool helped to identify an action plan to address the lack of disaggregated data on undernourishment in Togo. Closing the session, Gamez expressed the hope for the tool to become ‘fully accessible and universal’.

This high-level roundtable brought together experts from academia to present the ITU BDT AI For Development Series, highlighting its key findings and recommendations. It was moderated by Ms Régina Fleur Bessou Assoumou (Chair of the ITU-D Study Group 1) who introduced the panellists by asking about the key issues that can be encountered when dealing with policy makers.

The first panellist, Dr Urs Gasser (Executive Director of the Berkman Klein Center for Internet & Society at Harvard University and Professor of Practice at Harvard Law School), argued that policy makers and regulators are wrestling with how to approach the next wave of technology. Recurrent issues are the asymmetry of information and siloed conversations, and solutions that benefit everyone need to be considered. Questions about inclusiveness and the future of jobs should be part of the conversation, as well as discussion on the governance instruments available.

The second speaker, Dr Gyu Myoung Lee (Adjunct Professor at KAIST) spoke about the use of data, algorithms and blockchain. In order to provide convenient and smart services, the application of AI is essential. Thus, there is a need for new ecosystems that facilitate data sharing. Moreover, concerns over technical issues and about trust related to the use of blockchain need to be addressed.

Dr Michael Best (Director of the United Nations University Institute on Computing and Society (UNU-CS), Professor, Sam Nunn School of International Affairs and the School of Interactive Computing, Georgia Institute of Technology) argued that AI inevitably falls under ethical and social implications. Thus, ethicists on the cutting-edge of AI are needed. Moreover, there is a critical need for a robust information sharing infrastructure.

AI creates both opportunities and risks; however, the best way to address these challenges is to have a fair and diverse all-round discussion.

The second day of the Global Symposium of Regulators started with the opening remarks of Mr Houlin Zhao (ITU Secretary-General) who talked about regulation in relation to the digital economy. The agenda then moved to the leadership debate. It brought together leaders and experts to discuss the challenges of using artificial intelligence (AI) as well as the opportunities it brings, and how emerging technologies are expanding regulatory frontiers to new horizons. The role of policy makers and regulators is being questioned by digital transformation and the new categories of digital opportunities. This session explored the opportunities of AI for improving services such as e-government. With this opportunity in mind, it is necessary that regulators are able to address the different concerns related to the changing landscape, by identifying both the challenges and opportunities. The session was moderated by Mr Brahima Sanou (Director of International Telecommunication Union, BDT) who introduced the session topic by underlining the ‘huge’ opportunities of emerging technologies, while pointing out the need for awareness.

The first speaker, Mr Sorin Grindeanu (President ANCOM (Romania) and GSR-18 Chair), talked about 5G technologies and the spectrum allocation for implementing them. He used the example of Romania drafting its 5G strategy to highlight that the rapid growth of wireless broadband requires a wireless electronic communications network. Millions of people will be connected, and a new range of applications will be available. The regulation process has to be able to harmonise standardisation.

The second speaker, Mr Ajit Pai (Chairman of the Federal Communications Commission (FCC) of the United States), recalled that the term ‘artificial intelligence’ was coined sixty years ago by Prof. John McCarthy in his research to find a machine that could reason like a human; indeed, he believed that ‘to proceed on the basis of the conjecture that every aspect of learning or any other feature of intelligence can in principle be so precisely described that a machine can be made to simulate it’. Speaking about the opportunities created by AI, he mentioned an FCC project to develop new technology to assist people living with disabilities, and Seeing AI, one of this year’s winners. It is an app by Microsoft that uses AI and deep learning tools to narrate the visual world with spoken audio or real-time text for those with visual impairment. Pai said that he recognises that AI is changing every social and economic aspect of our society. With this in mind, the FCC will hold a forum on the impact of AI and machine learning in the communications market. He then proposed some guiding principles that would set the stage for a policy environment that encourages the development of new technologies and high-speed networks. First, regulatory humility is needed to avoid new technology being forced into old frameworks. Second, governments should facilitate innovation and investments. Third, the spectrum for wireless services should be made free and available for flexible use. Finally, access to new technology should be made universal.

The third speaker, Mr Mahmoud Mohieldin (Senior Vice President of the World Bank Group), argued that there is a need for strategy and policies to deal with opportunities and challenges of information technology. He added three examples of resistance to change and resistance to technology: the reaction of the former Mexican President, Santana, who was against the introduction of steam engines; England’s prohibition of automated machines in sock production; and the initial concerns about Jakar machines. He then moved to a more recent successful example, the M-Pesa mobile phone payment system used in Kenya. His main point was that at the moment, it is enough to have one specific strategy. There is a need for a global and comprehensive approach and strategy. He introduced the three ‘Bs’ concept: building, boosting and brokering through the implementation of public-private partnerships. Finally, he talked about some positive applications of emerging technologies, such as big data for social good and the IT4D.

The fourth speaker, Ms Anastassia Lauterbach (Author of ‘The Artificial Intelligence Imperative’, and International Technology Strategist Adviser and Entrepreneur), argued that AI is one of the most powerful technologies. Indeed, she pointed out that among the ten top companies in the world, five are ‘AI first’: Google, Facebook, Microsoft, Apple and Amazon. The ‘AI first’ feature can be defined as the focus on investing in their own semiconductors to provide hardware capabilities for data mining. These companies are investing in fundamental AI research. She talked about three main risks that could be encountered while dealing with AI: design mistakes (biases in technology reflecting the technology’s creator); malicious intent (unethical behavior of the system); and the absence of humans in the collecting and analysing of data. This led her to address concerns over the ethics of AI, related to the governance of AI safety, the decision-making guidelines for autonomous systems, the incentive design for autonomous systems, and the goal alignment between autonomous agents and humans. Finally, she concluded her speech by discussing social governance in AI, which includes actors such as municipalities, schools, AI companies and organisations.

The session was closed by Dr Kemal Huseinovic (Chief of the Department of Infrastructure, Enabling Environment and E-Applications at the ITU/BDT). He argued that everything we love about civilisation is a result of human intelligence; and AI can foster that. The more we rely on technology, the more we need to trust this technology and the question on how we can ensure this trust is not only essential, but it raises ethical issues that require the engagement of policy makers.

The Opening Session of the 2018 Global Symposium of Regulators (GSR-18) began with speeches from Mr Brahima Sanou (BDT Director of the International Telecommunication Union (ITU)), Mr Sorin Grindeanu (President of the National Authority for Management and Regulation in Communications (ANCOM) of Romania, and Chair of the GSR-18), Ms Nerida O'Loughlin (Chair and Agency Head of the Australian Communications and Media Authority), Mr Mahmoud Mohieldin (Senior Vice-President of the World Bank Group), and Mr Manish Vyas (President of Communications, Media and Entertainment Business, and CEO of Network Services at Tech Mahindra). They introduced the topic of the symposium, New Regulatory Frontiers, by stressing the need to understand how Information and Communication Technologies (ICTs) and Internet of Things (IoT) devices can both change our daily life and pose important challenges. It is important to understand that the application and implementation of new technologies challenges everything in the daily life of people and businesses.

Session 1: AI and Cybersecurity – The State of Play

The first session of the Global Symposium of Regulators (GSR) focused on emerging technologies such as Artificial Intelligence (AI), both in terms of emerging threats and vectors strengthening and improving the effectiveness of cyber-attacks. The session was moderated by Mr Joe Anokye (Director-General of the National Communication Authority (NCA) of Ghana) who introduced the discussion by exploring the current situation, and the relationship between AI, the Internet of Things (IoT) and cybersecurity. For instance, according to Anokye, AI should be considered with regards to its application in IoT devices: AI allows IoT devices to be intelligent. However, attention should also be given to the occurrence of cyber-attacks. In the past two years, these attacks have increased. As a result, questions are arising related to the regulation of technologies that are still hard to understand.

The first panellist was Dr Kemal Huseinovic (Chief of the Department of Infrastructure, Enabling Environment and E-Applications, ITU/BDT). He talked about the dual use concept of AI. Indeed, AI can be used for good, as well as being the means for cyber-attacks. Thus, it is necessary to support research and engage with different stakeholders using a multistakeholder approach.

The second panellist was Mr Philip R. Reitinger (President and CEO of the Global Cyber Alliance). He argued that AI can improve the chances and abilities of the defender. To this extent, the notion of risk has to be contextualised. The risk of cyber-attacks is growing because of three factors: complexity, criticality and connectivity. The IoT is going to push these factors exponentially. He proposed thinking about security, not in terms of securing things, but in terms of securing the Internet and the network on which things work and are connected. He argued that the current use of the domain name system is a good way to protect IoT. Moreover, in the long term, there is a need for strong authentication, use of automation, and interoperability.

The third panellist was Mr Manish Vyas (President of Communications, Media and Entertainment Business, and CEO of Network Services at Tech Mahindra). He followed the line of the previous argument: using AI to enable IoT systems. Currently, there is consensus on taking advantage of technology and balancing its negative implications. He further argued that ‘the world of innovation has changed – has changed for good and forever’. However, there is a need to gain the trust of intermediaries.

The fourth panellist was Ms Giedre Balcytyte (International Development Director NRD Cyber Security). She started her speech by explaining the concept of cyber resilience and how essential it is to have infrastructure in place, to rely on for resilient purposes. Technology is often used as a means for development and modernisation; however, it must be understood that technology does not tackle issues by itself. Moreover, in order to have an effective system in place, there is a need to emphasise the capacity of the organisations and to understand that knowledge has to move and adopt faster.

The fifth panellist was Mr Serge Droz (Director of the Board Forum of Incident Response and Security Teams). He talked about the danger of the evolution of large scale attacks and the effects they could have. The human component in the management of response situations has to be implemented; and it has to be implemented through collaboration on a large scale. Indeed, it is necessary to communicate because of the global scale and extension of the various issues.

The sixth panellist, Mr Neil Sahota (IBM Master Inventor and WW Business Development Leader IBM Watson Group), followed along the same lines. He stated that risk does not necessarily have a negative connotation and that the main danger we should consider is whether there is a possibility of creating AI that is the ultimate hacker.

The final speaker was Mr Aleksandar Stojanovic (Executive Chairman and Co-Founder AVA). He argued that the missing key element to collaboration is trust. The market is more and more fragmented, and the combination of AI and technology is to some extent extremely new. Thus, the question of trust is migrating to the hardware level. There is a need to trust the impressive amount of information and data coming in. Ensuring the trustworthiness of information will become the pillar of trustworthy AI.

Replying to questions from the audience, the panellists argued in favour of a regulatory framework that merges bottom up and push down approaches, stating that a micro regulatory framework for technology would be dangerous. Moreover, further issues discussed were the concept of trust and interoperability of devices; and the fact that a framework does not necessarily have to come from the regulatory side, but it could also be from the market side.

The final session of the day brought together experts from the private and public sectors and academia. The focus of the session was to identify the next steps that have to be taken in order to improve national policies and strategies, create opportunities to implement ICT services for citizens, and generate social impact and economic development.

The session featured the speeches of Mr Mika Lauhde (Vice President Cyber Security & Privacy of Global Public Affairs, Huawei Technologies Co., LTD), Mr Dan Tara (Vice President of Positive Technologies), Dr Ram-Sewak Sharma (Chairman, Telecom Regulatory Authority of India (TRAI)), who introduced the audience to the concept of ‘electronic consent artifact’, Mr Jacques de Werra (Professor of Contract Law and IP Law, Vice Rector of the University of Geneva), and Mr Alan Gush (Senior Director of Cyber Solutions, Comtech Telecommunications Corp.).

The private sector stressed the contradictory situation in which the regulators ask for secure networks but do not provide exhaustive guidelines on how to achieve that. Operators are often not ready. From an academic perspective, the future of education is deeply connected with the future of work, and it is crucial to prepare students for the challenges they will face in the work environment. However, formal higher education could and should be complemented with self-study and certification.

The session was closed with a speech by Mr Yushi Torigoe (Deputy to the Director and Chief of Administration and Operations Coordination Department at the ITU). He stressed the need for collaboration between different stakeholders to effectively tackle emerging issues. He proposed a three pillar approach based on: corporation, collaboration and coordination, while highlighting and recalling the five pillars on which the ITU is based: legal, technical, organisational, capacity building and international.

The application of Artificial Intelligence (AI) for malicious purposes can increase the impact of cyber threats on information and communications technology (ICT) networks. However, AI can also be used to strengthen cyber defense, improve cybersecurity, and create new competences, skills and jobs. The second session of the GSR-18 focused on the positive application of AI to strengthen the security of ICT infrastructures and services, while having a positive impact on the workforce and end users. The session was moderated by Mr Stephen Bereaux (Chief Executive Officer Utilities Regulation and Competition Authority (URCA) of the Bahamas) who introduced the panel, stressing that the key aspect in the regulatory mandate is to understand what these new technologies are, and how they will impact the regulatory frameworks.

The first panellist was Mr Benedict Matthey (Account Executive at Dark Trace). He explained how large organisations are already able to launch attacks; however, the increased availability of learning machines has made small organisations able to launch attacks as well. Thus, the complete visibility of all organisations’ devices is needed. To this extent, organisations need to make sure that it is clear what is going on in the network. The application of AI can enable humans to go beyond their limits: despite attackers using AI, defenders can also use it in tackling security issues because it saves time and is efficient.

The second panellist was Mr Michael Nelson (Tech Strategy at Cloudflare). He talked about the misconception about AI and learning machines which results in ineffective and counterproductive policies. He talked about these misconceptions in terms of myths:

The term ‘artificial intelligence’ is often believed to be a useful term; however, its definition is too broad and refers to too many aspects.

One myth about the Internet of Things (IoT) is that it is different from the Internet. With regard to this, he argued on his Twitter account (@MikeNelson) that ‘We are not going to “fix” the IoT by replacing the Internet’.

There is a misconception about the possibility of controlling software; however, this is impractical.

Regulating AI by controlling algorithms and making companies disclose their algorithms and software does not work. Software evolves minute by minute because of the amount of data that is put into it.

The need for standards and check-lists that define how IoT devices work with the relative proposal of implementing outdated security solutions for all devices should be considered as an additional cost and a subtraction of incentives for innovation.

The final misconception is that we need to create a global framework for securing IoT devices. However, an alternative solution is to rely on the ‘programmable cloud’ to create techniques for securing the different types of IoT applications. To this extent, the main key is the interoperability of devices.

The third panellist, Mr Graham Butler (Chairman at Bitek Global Limited) stressed that the quick evolution of the network means that we see 2.5 million attacks carried out every 20 minutes. Moreover, he underlined that rules on voice telecommunications exist and are applicable, while there are no rules on data. This results in an enormous loss of income. Moreover, policy and law enforcement actors are facing problems because of encrypted traffic: 50-60% of attacks are encrypted and this creates challenges for law enforcement when it comes to prosecuting the attackers. He finished by saying that the World Wide Web in any country belongs to that country, and that it is that country’s duty to protect it.

The fourth panellist, Mr Ilia Kolochenko (CEO at High-Tech Bridge) argued that the purpose of using AI from a big firm’s perspective is based on the idea that AI technologies solve problems and diminish the costs. Thus, before trying to implement AI, it is important to understand its practical features within the context of the firm.

The fifth panellist, Mr Stefano Bordi (Vice President Cyber Security of Leonardo Company) argued that the cyber defense capability can be described by the coexistence of technology, procedures, processes and people. With regards to the activities of cyber defense centres, he stressed that the application of AI can be implemented in the prevention phase of the activities. Despite the fact that the cybersecurity aspect will always be ‘in front of the monitor’ and the control system, the new cybersecurity experts will need to change their competency package.

The sixth panellist, Ms Miho Naganuma (Manager Regulatory Research Office and Cyber Security Strategy Division at NEC Corporation) argued that in order to liberate AI, we need to face four issues: data, information, knowledge and intelligence. AI gives intelligence features to the devices it is applied to. Thus, for this intelligent part to support human activities, it needs to have broader views for solving issues. In line with the previous statement, she said that in the near future, many processes will be automatised, thus highly skilled people will be needed.

The last panellist was Mr Guido Gluschke (Co-Director of the Institute for Security and Safety, Brandenburg University of Applied Sciences). He started his speech by recalling the history of nuclear weapons and the relative discussion on the international level. He underlined that after the Stuxnet attack, nobody discussed the cybersecurity aspect of the topic. It took five years to make regulators feel confident in ruling about cybersecurity; yet, today there is still no clear understanding about cyber threats. In his closing, he advised including cybersecurity in nuclear security plans and then having a discussion on the topic. There is a need for regulators to understand the topic in its specificity and to act on a co-operative basis, by supporting nation states in the implementation of the policies. Education is a key factor and has to be implemented. Finally, a multistakeholder approach is necessary.

Mr Andy Bates, Executive Director, United Kingdom, Europe, Middle East & Africa, Global Cyber Alliance, introduced the Global Cyber Alliance, and then stated how cybercrime has overtaken normal crime in terms of economic value. Despite the increasing economic risk of cybercrime, he argued that ‘cybercrime is just crime’, pointing out that it is crime adapting to modern tools. In his opinion, the responses should not basically differ too much from the measures taken to address other forms of crime. He highlighted that cybercrime is usually serial in nature, with many criminals potentially using the same vulnerability and being repeat offenders. He discussed the human psychological aspect in the context of phishing and spoofing emails as well as structural issues with the Internet.

He presented a tool called DMARC, which enables individuals and companies to register domains that then establish a handshake between actors to monitor email trustworthiness. In addition, he presented the Internet Immune System, a blacklist given to top level Internet service providers (ISPs) to track pages which contain malware. He argued that ISPs should work towards cleaning up the internet for individuals.

Lastly, Bates outlined future scenarios, focussing mostly on the importance of sharing information across the private and public sectors, together with measures that would seek to prevent duplication. In addition, he mentioned how reporting about cybercrime could be centralised. As a concluding remark, he pointed out that individuals need to use common sense and intelligence when addressing cybercrime.

Dr Gustav Lindstrom, Head of the Emerging Security Challenges Programme, Geneva Centre for Security Policy (GCSP), gave a presentation which focussed on the issues and trends for future consideration in the field of cybersecurity. Firstly, he stressed that raising awareness needs to be a constant process. Due to its constantly changing nature, cybercrime should be seen as an emerging threat.

Lindstrom’s second point focussed on the key aspects of evolving technology and services which remain beneficial for us but also pose security challenges. He discussed many developments such as cloud computing, as the cloud is an attractive target for attacks. He described how the cloud can be used to hide malware. In addition to cloud computing, he mentioned how big data, through injecting false data, poses security threats in addition to the privacy issues. He also discussed the issue of 3D printing which can be used to circumvent existing measures, while providing potentially dangerous tools. Circumventing existing measures is also a risk posed by distributed ledger technologies. As a final aspect of this, artificial intelligence and machine learning, despite their ground-breaking advantages, run the risk of being misused and compromised.

The Internet of Things (IoT) can provide benefits, but it also opens the door for many new potential threats. Lindstrom pointed out how the shift in states’ cyber defence and offence poses a challenge. He argued that an increasing number of countries have developed capabilities to move from defence to offence, with roughly 30 countries having dual capabilities, but this number is hazy as is the boundary between defence and offence. As such, Lindstrom suggested, offensive cyber operations will likely increase and cyber weapons might be updated at a fast pace, especially in terms of delivery mechanisms. As a final point, while there are differences in state capabilities, all countries will try to seek to utilise zero-day vulnerabilities to their advantage. He then concluded his presentation by pointing out the increasing role of the private sector in the field, which is not only due to financial aspects but also due to the proliferation of public-private partnerships.

The launch of the Geneva Digital Talks series – organised by the Canton of Geneva – gathered around 80 representatives from the technical, governmental, business, not-for-profit and academic communities. The speakers included representatives from the Canton of Geneva, the International Committee of the Red Cross (ICRC), the EPFL’s School of Computer and Communication Sciences, Deutor Cyber Security Solutions, the Federal Department of Foreign Affairs (FDFA), the University of Geneva, FONGIT (Geneva's high-tech start-up incubator), and the Geneva Internet Platform (GIP). The key messages of the launch event revolved around the need to understand cybersecurity in a multidisciplinary way.

At the start of the discussions, we were reminded that Geneva is, above all, a platform of dialogue and a place for finding sustainable solutions. Moreover, Geneva has a reputation as an ecosystem for stakeholder engagement, where the digital discussions can be people-focused.

Security is key to modern societies, but it was not originally built into the Internet. Addressing it now is comparable to repairing a plane while flying it. To understand the issue, the discussions followed the journey of an Internet data packet that crosses national borders, that is vital to digital economy and innovation, and is ultimately crucial in high-level negotiations impacting a number of sectors.

The interplay between the Silicon Valley as a place of technological development and social disruption, and Geneva as a constructive, human rights-oriented policy space, set the tone of the discussion. Recent calls from the private sector to advance discussions on a cyber treaty brought forward the need to have a shared understanding of the vulnerabilities, issues and prospects of cyberspace. If a cyber incident amounts to a kinetic attack, international law applies, but for everything in between, there is a ‘grey zone’, just as there is for a distinction between ‘civilian’ and ‘military’ in digital terms. Previously, key conventions have been negotiated with the involvement of non-state actors in equally sensitive fields, such as the Biological and Toxin Weapons Convention or the Chemical Weapons Convention.

On its journey, the Internet data packet is first tested physically: the integrity and correctness of the code are essential, as there is no bug-free software or liability for software in place. While we are getting better at writing and verifying software in safety-critical applications, trust in the ability of others, who are unknown to us, to fix it is gradually eroding if we can no longer distinguish between good and bad intentions.

To diminish the risks of interference and misuse, the Internet data packet should be protected by a community that understands infrastructure, relevant technology and invests in security. Suggestions were made to eliminate the prevalent ignorance and complacency about security, also distinguishing between IT security and cybersecurity. The latter concerns a criminal network with a goal. Effective co-operation needs to include users (to notify about breaches) and providers (to react to vulnerabilities or breaches) working together. Regulation can also be used as a carrot to incentivise and a stick to sanction those who do not comply, thus increasing the overall level of security.

When it comes to the framework for state action, different instruments are currently deployed. In addition to the guidelines provided by the UN Group of Governmental Experts in their 2015 report (11 voluntary norms), international law, and in particular the UN Charter, includes provisions on the use of force, the interference in the domestic affairs of states, the peaceful means to solving conflicts, but also, self-defense. International customary law covers state responsibility, even when using proxies, and due diligence for international wrongful acts that apply to digital space. In international humanitarian law, if the kinetic dimension is reached in cyberattacks, cyber means amount to armed conflict. Moreover, the human rights obligations of states apply online, as they do offline (e.g. freedom of expression). Confidence building measures, such as the ones put forward by the Organisation for Security and Cooperation in Europe (OSCE), represent additional means to strengthen collaboration at the global level. With this multi-layered framework in place, it is important to build awareness and strengthen the capacity of states to understand and apply it before new binding rules are discussed.

When discussing the attribution of risk and responsibility, there is a danger of substantive fragmentation: we have global technologies but local laws, and there is an overlap of regulations and sets of conflicting norms that may be detrimental or counterproductive. The question here is whether we can move from the Geneva Digital Talks to policies, or even to the Geneva Digital Courts to address the needs of regulators. As the birthplace of international arbitration, Geneva has a unique role to play in the attempt to solve Internet-related disputes.

From a digital economy perspective, the Internet data packet has recently been carrying more and more sensitive records, including health and personal data, or social security information. With the advent of the Internet of Things (IoT), we will move from cyber to digital security in a much broader sense. Every second, 95 passwords are stolen around the world, showing that security by itself is no longer enough. There is a need to move from security by reaction to security by interaction. The Internet giants that operate most online services need to be brought into the conversation about norms, key responsibilities and regulation.

The Geneva Digital Talks will continue with a series of events in the build-up to the Internet Governance Forum. The focus of the GDT will be set on the following aspects, identifying key competencies available in Geneva: technological, legal, social and political.

The eleventh Symposium of the Future Networked Car took place on 9 March 2017, during the 87th edition of the Geneva International Motor Show. The Symposium was jointly organised by the International Telecommunication Union (ITU) and the United Nations Economic Commission for Europe (UNECE). The main objective of the event was to offer a platform for a fruitful discussion among different stakeholders – vehicle manufacturers, governments and Information and Communications Technology (ICT) industries – on the future of vehicle communication and automated driving.

The session started with opening remarks from Mr Malcolm Johnson, Vice Secretary-General at the ITU, who stressed the importance of bringing together multiple stakeholders in order to foster technological innovation. In particular, he underlined the crucial role of the ITU as a UN-mandated agency that has successfully brought together and facilitated the convergence between two communities: industry and ICT sectors. The Symposium has seen growing participation in the last years, and has attracted more than 170 participants in 2017.

Ms Eva Molnar, Director of the Sustainable Transport Division of UNECE, joined Mr Johnson in stressing the importance of co-operation, not only between different industry sectors, but also between different agencies – as is the case with the ITU and UNECE. In particular, her speech approached vehicle automation from a regulatory perspective: she reasoned on the relevance of the existing legal conventions vis-à-vis the latest technological changes and pushed for the development of harmonised regulations.

The event comprised five thematic panels, each discussing a specific aspect of vehicle automation.

The Executive Roundtable reflected on the advantages and challenges that automatic driving will bring to individuals and societies once such technology is spread on a larger scale. All speakers talked about the necessity of harmonising the standards regulating such technology among different countries.

In particular, Mr Anders Eugensson, Director of the Governmental Affairs Department at Volvo Car Group, analysed the benefits of automated driving for individuals in terms of costs, liability and accuracy of data. With the development of such technology, customers would purchase automated driving packages that would cost less than a car. Moreover, he considered that cars will operate autonomously, and, in case of accidents, the responsibility would not rely directly on customers. Finally, thanks to cloud connectivity technology, the data available to the car system will be more accurate.

The Second Panel reflected on the benefits of fifth generation mobile networks or wireless systems (5G) for the development of automated driving. The speakers agreed on the crucial role of 5G technology for automated vehicles, especially in terms of connectivity and communication among units. Mr Peter Vermaat, Chair of the Connected Vehicle Working Group at the Wireless World Research Forum, considered that as opposed to a cloud computing type of connectivity (i.e. storing and accessing data over the Internet), Peer-to-Peer (P2P) computing (interconnected communication among peers, i.e. automated vehicles) allows for increased safety and improved efficiency of communication, and reduces the need for infrastructures.

The Third Panel discussed how Artificial Intelligence (AI) will change current transport systems. All the speakers built their discussions on the benefits of automated driving discussed by the previous panellists. Furthermore, they focused mainly on the possible risks to individuals from the deployment of AI. They assessed such risks in terms of security (protection from cyber-attacks), personal data protection (privacy concerns) and social economic externalities (loss of jobs in the car industry or transportation sectors).

The Fourth Panel focused on the relationship between connected vehicles and automated driving. The panellists discussed the co-dependency of connectivity and automated driving: having accurate communication systems among vehicles is crucial for the development of automated driving systems on a larger scale. David Holecek, Director of the Connected Products and Services Division at Volvo Car Group, concluded that connectivity, autonomous driving and AI are the cornerstones that will develop the concept of fully autonomous cars rather than autonomous driving in the future.

The Fifth Panel concluded the session by focusing on the cybersecurity threats to automotive systems. The speakers discussed the consequences that connectivity has in terms of individuals’ security in particular. Based on an interconnected system, automated vehicles operate in a constantly hostile environment, susceptible to hackers’ attacks, resulting in financial cyber ransom, car theft and loss of control over the vehicle.

The 47th WEF Annual Meeting, which took place in Davos-Klosters, Switzerland, on 17‒20 January, brought together leaders from across business, government, international organisations, academia, and civil society, to discuss several digital policy issues.

The future of the digital economy was an overarching theme for many sessions, exploring aspects such as the digital transformation of industries, the fourth industrial revolution and its implications (in areas such as gender equality and jobs), steps for shaping national digital strategies, the need for shared norms and rules for the digital economy, and trust-based collaboration among stakeholders. Security and crime in the digital era were part of the discussions, with a focus on multistakeholder approaches for tackling cybercrime, the cyber resilience of critical infrastructures, cyberwar and forms of manifestation, and terrorism in the digital age. During the meeting, WEF launched a report on Advancing Cyber Resilience: Principles and Tools for Boards. Prepared in collaboration with the Boston Consulting Group and Hewlett Packard Enterprises, the report outlines a series of principles and tools for companies to tackle cybersecurity risks and ensure the resilience of their information infrastructures.

The advancements in the field of Internet of Things (IoT) and artificial intelligence (AI) were also looked at during this year's WEF meeting, as participants explored policy implications and outlined the need for principles and standards to ensure that IoT and AI products bring benefits to society as a whole, while minimising the risks (in areas such as social inclusion, privacy, and security). Trustworthy online information, a topic that has attracted a lot of attention lately, was also discussed, with a focus on possible modalities for balancing freedom of expression with the need to educate users on how to differentiate between real information and misinformation.

In addition to contributing their views to these and many other discussion tracks, WEF participants used the meeting as an opportunity to launch new initiatives and agree on future actions. In one such example, major financial service providers (e.g. Mastercard, Visa, and Paypal), global IT and telecom companies (e.g. Ericsson and GSMA), and intergovernmental organisations (e.g. the United Nations Development Program and the United Nations High Commissioner for Refugees) agreed on six principles on public-private cooperation aimed at facilitating digital cash payments in crisis-affected populations.

As has been the case at many other high-level events recently, the Agenda for Sustainable Development also featured high in Davos. On a more general level, world leaders discussed the challenges of globalisation and the increasing anti-globalisation trends. Many of the debates revolved around the need to identify modalities for reforming the governance of globalisation processes, with a view to improving them and making them better suited to contribute to global growth and development.

Other resources

The survey, which polled 9,000 individuals from nine countries (Australia, Brazil, Canada, France, Germany, India, Mexico, the United Kingdom, and the United States), offers insights into how end users see the evolution of smart homes, as well as into users’ concerns regarding the security and privacy risks associated with IoT connected home devices.

The set of guidelines contains recommendations on how to mitigate security threats and weaknesses in Internet of Things services. It includes guidelines for service ecosystems, endpoint ecosystems, and network operators.

The document provides guidelines for public and private organisations when planning and organising the selection and validation of smart city technologies. It describes the types of testing and assessments to consider in order to select the most secure vendors and technologies.

The document provides guidance for the secure implementation of Internet of Things (IoT)-based systems. It provides an overview of IoT security challenges and threats to individuals and organisations, and outlines several security control mechanisms that could be used to mitigate such challenges and threats.
